From: Philippe Antoine
Date: Wed, 15 Dec 2021 20:11:05 +0000 (+0100)
Subject: enip: fix too restrictive check in probing parser
X-Git-Tag: suricata-7.0.0-beta1~1025
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed11e32076cc72fee15ea8975de29b82c333cd1c;p=thirdparty%2Fsuricata.git
enip: fix too restrictive check in probing parser
As is shown later in the code, enip_len can be ENIP_LEN_REGISTER_SESSION which is 4, which is smaller than sizeof(ENIPEncapHdr) which is 24
---
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index cc814bc808..25322ab1a9 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -359,15 +359,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 uint32_t option;
 uint16_t nbitems;
- int ret = ByteExtractUint16(
- &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2));
- if (ret < 0) {
- return ALPROTO_FAILED;
- }
- if (enip_len < sizeof(ENIPEncapHdr)) {
- return ALPROTO_FAILED;
- }
- ret = ByteExtractUint32(
+ int ret = ByteExtractUint32(
 &status, BYTE_LITTLE_ENDIAN, sizeof(uint32_t), (const uint8_t *)(input + 8));
 if (ret < 0) {
 return ALPROTO_FAILED;
@@ -394,6 +386,11 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 if (ret < 0) {
 return ALPROTO_FAILED;
 }
+ ret = ByteExtractUint16(
+ &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2));
+ if (ret < 0) {
+ return ALPROTO_FAILED;
+ }
 //ok for all the known commands
 switch(cmd) {
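Review bot: The `enip_len` extraction re-added before `switch(cmd)` carries no comment saying what the field measures, which is apparently how the removed `enip_len < sizeof(ENIPEncapHdr)` comparison in the first hunk came about. I would put `// enip_len is the length of the command data after the 24-byte encapsulation header, so values like ENIP_LEN_REGISTER_SESSION (4) are valid` directly above the `ByteExtractUint16` call. With the early rejection gone, every bound on `enip_len` now rests on the `switch(cmd)` arms, which lie outside this hunk; it is worth confirming that each accepted command checks its expected length there, since a looser probe is more likely to label non-ENIP traffic as ENIP. ENIPProbingParser begins before the first hunk and continues past the second.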